D Steward wrote:
Because I don't believe a solution such as fail2ban will scale (it can't be healthy having tens of thousands of IPs in iptables), I use denyhosts
Wherever possible I use layer 2 bridging OpenBSD firewalls in front of my networks. I don't have a problem with brute force attacks, but it seems it can scale to tens of thousands of IPs without a problem. I'm not sure if iptables has similar capabilities or not --
http://www.openbsd.org/faq/pf/tables.html
"[..]Lookups against a table are very fast and consume less memory and processor time than lists. For this reason, a table is ideal for holding a large group of addresses as the lookup time on a table holding 50,000 addresses is only slightly more than for one holding 50 addresses"
And the pf equivalent to the iptables throttling:
http://www.openbsd.org/faq/pf/filter.html
An example:
    table <abusive_hosts> persist
    block in quick from <abusive_hosts>

    pass in on $ext_if proto tcp to $web_server \
        port www flags S/SA keep state \
        (max-src-conn 100, max-src-conn-rate 15/5, \
         overload <abusive_hosts> flush)
This does the following:
* Limits the maximum number of connections per source to 100
* Rate limits the number of connections to 15 in a 5 second span
* Puts the IP address of any host that breaks these limits into the <abusive_hosts> table
* For any offending IP addresses, flush any states created by this rule.
---
I don't like/use OpenBSD for anything other than firewalls. But I do think as a firewall, pf really can't be beat, the configuration for typical rules just 'flows'. IPTables by comparison is so cryptic. (speaking as a past user of ipfwadm, ipfw, ipchains, iptables, pf, and Cisco PIX, which is probably the worst of the ones I've used).
I use linux pretty much everywhere else other than firewalls. Even my preferred network gear - load balancers and switches run linux (commercial variants).
nate
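Added illustration (not part of the thread, and not pf's own code): a small Python model of the overload rule quoted above, run over a constructed sequence of connection attempts so the three options can be traced together. max-src-conn caps concurrent states per source, max-src-conn-rate counts new states per source in a sliding 5 second window, and overload ... flush moves the offender into the table and drops the states this rule created for it. The source addresses, timings and the OverloadFilter class are assumptions made for the example; the table is a Python set, which mirrors the pf FAQ's point that lookup cost does not grow with the number of entries.

```python
"""Model of the pf rule

    pass in ... keep state (max-src-conn 100, max-src-conn-rate 15/5,
                            overload <abusive_hosts> flush)

This is an added example, not pf's implementation. Addresses, timings and
the class below are assumptions made for illustration.
"""
from collections import defaultdict, deque

MAX_SRC_CONN = 100              # max-src-conn 100: concurrent states per source
RATE_COUNT, RATE_SECS = 15, 5   # max-src-conn-rate 15/5: new states per 5 s


class OverloadFilter:
    def __init__(self, max_src_conn=MAX_SRC_CONN,
                 rate_count=RATE_COUNT, rate_secs=RATE_SECS):
        self.max_src_conn = max_src_conn
        self.rate_count = rate_count
        self.rate_secs = rate_secs
        self.abusive_hosts = set()        # the <abusive_hosts> table
        self.active = defaultdict(int)    # states currently open, per source
        self.recent = defaultdict(deque)  # timestamps of recent new states, per source

    def _overload(self, src):
        """Add src to the table and, as 'flush' does, drop its existing states."""
        self.abusive_hosts.add(src)
        self.active.pop(src, None)
        self.recent.pop(src, None)

    def new_connection(self, src, now):
        """Decide on a new connection from src at time `now` (seconds).

        Returns 'block' (table hit), 'overload' (limit broken, source added
        to the table) or 'pass' (state created).
        """
        if src in self.abusive_hosts:
            return "block"            # 'block in quick from <abusive_hosts>'
        window = self.recent[src]
        while window and now - window[0] >= self.rate_secs:
            window.popleft()          # slide the rate window forward
        window.append(now)
        if (len(window) > self.rate_count
                or self.active[src] + 1 > self.max_src_conn):
            self._overload(src)
            return "overload"
        self.active[src] += 1         # state created by this rule
        return "pass"

    def close_connection(self, src):
        """A state for src ended; free one slot towards max-src-conn."""
        if self.active.get(src, 0) > 0:
            self.active[src] -= 1


def demo():
    """Constructed traffic: 192.0.2.10 opens 20 connections in 2 seconds
    (brute-force pattern); 198.51.100.7 opens one per second."""
    f = OverloadFilter()
    events = ([(0.1 * i, "192.0.2.10") for i in range(20)]
              + [(float(i), "198.51.100.7") for i in range(20)])
    log = [(now, src, f.new_connection(src, now)) for now, src in sorted(events)]
    return f, log


if __name__ == "__main__":
    f, log = demo()
    for now, src, decision in log:
        print(f"{now:5.1f}s {src:14s} {decision}")
    print("table:", sorted(f.abusive_hosts))
```

In the constructed run the fast source gets 15 states created, is overloaded on the 16th attempt, and every later attempt from it is dropped by the table rule before the pass rule is consulted; the slow source never has more than five timestamps in its window and is unaffected. Expiring table entries is not modelled here; in pf that is done separately (the FAQ's pfctl -t ... -T expire), which is what keeps the table from growing without bound.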